Bug 1323549

Summary:	docker-selinux module error messages
Product:	[Fedora] Fedora	Reporter:	Lokesh Mandvekar <lsm5>
Component:	docker	Assignee:	Lokesh Mandvekar <lsm5>
Status:	CLOSED RAWHIDE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	rawhide	CC:	adimania, admiller, amurdaca, dwalsh, ichavero, jcajka, jchaloup, lsm5, lvrabec, marianne, mgrepl, miminar, nalin, vbatts
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-06-03 12:26:30 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Lokesh Mandvekar 2016-04-04 03:01:29 UTC

Description of problem:

$ sudo dnf install docker
Last metadata expiration check: 0:08:07 ago on Mon Apr  4 02:42:43 2016.
Dependencies resolved.
=================================================================================================================================================================
 Package                                Arch                           Version                                             Repository                       Size
=================================================================================================================================================================
Installing:
 docker                                 x86_64                         2:1.10.3-4.gitf8a9a2a.fc25                          rawhide                         6.7 M
 docker-selinux                         x86_64                         2:1.10.3-4.gitf8a9a2a.fc25                          rawhide                          66 k

Transaction Summary
=================================================================================================================================================================
Install  2 Packages

Total download size: 6.8 M
Installed size: 28 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): docker-selinux-1.10.3-4.gitf8a9a2a.fc25.x86_64.rpm                                                                        161 kB/s |  66 kB     00:00    
(2/2): docker-1.10.3-4.gitf8a9a2a.fc25.x86_64.rpm                                                                                4.7 MB/s | 6.7 MB     00:01    
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                            3.8 MB/s | 6.8 MB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : docker-selinux-2:1.10.3-4.gitf8a9a2a.fc25.x86_64                                                                                             1/2 
neverallow check failed at line 8831 of /var/lib/selinux/targeted/tmp/modules/100/base/cil
  (neverallow base_typeattr_12 unlabeled_t (file (entrypoint)))
    <root>
    allow at line 546 of /var/lib/selinux/targeted/tmp/modules/400/docker/cil
      (allow spc_t unlabeled_t (file (entrypoint)))
    <root>
    allow at line 828 of /var/lib/selinux/targeted/tmp/modules/100/sandboxX/cil
      (allow sandbox_x_domain exec_type (file (entrypoint)))
    <root>
    allow at line 1591 of /var/lib/selinux/targeted/tmp/modules/100/virt/cil
      (allow virtd_lxc_t exec_type (file (entrypoint)))
    <root>
    allow at line 1968 of /var/lib/selinux/targeted/tmp/modules/100/virt/cil
      (allow svirt_sandbox_domain exec_type (file (entrypoint)))

Failed to generate binary
/usr/sbin/semodule:  Failed!
  Installing  : docker-2:1.10.3-4.gitf8a9a2a.fc25.x86_64                                                                                                     2/2 
  Verifying   : docker-2:1.10.3-4.gitf8a9a2a.fc25.x86_64                                                                                                     1/2 
  Verifying   : docker-selinux-2:1.10.3-4.gitf8a9a2a.fc25.x86_64                                                                                             2/2 

Installed:
  docker.x86_64 2:1.10.3-4.gitf8a9a2a.fc25                                    docker-selinux.x86_64 2:1.10.3-4.gitf8a9a2a.fc25                                   



Version-Release number of selected component (if applicable):
docker-1.10.3-4.gitf8a9a2a.fc25.x86_64
docker-selinux-1.10.3-4.gitf8a9a2a.fc25.x86_64

How reproducible: consistent


Steps to Reproduce:
1. dnf install docker

Comment 1 Daniel Walsh 2016-04-04 13:10:58 UTC

This is a bug in docker-selinux and selinux-policy-targeted.

unlabeled_t should not have the attribute exec_type.  Which will get rid of most of the errors.  We can remove the transition from docker_t @unlabeled_t -> spc_t, but we need to fix docker to label devicemapper content by default as something other then unlabeled_t when SELinux is disabled inside the container.

Comment 2 Daniel Walsh 2016-06-03 12:26:30 UTC

Should be fixed in rawhide via changes to selinux-policy.